Networking - isaachicks/COSC Wiki

# DAY 1 NETWORKING FUNDAMENTALS

Bit groupings:

- 1 bit = flag
- 4 bits = nibble
- 8 bits = byte
- 16 bits = half word
- 32 bits = word
- 64 bits = very long word

Encapsulation is like putting a wrapper (e.g. a header and a tail/trailer) around the data to carry more information about the packet.

Use technical papers, like RFCs from the IETF, IEEE or IANA, to help.

Notes:

- `0.0.0.0` ("quad 0") as the local address in netstat means anything can reach that listener; `127.0.0.1` means only the local device can reach it.
- TCP6 is used for IPv6.
- In Scapy, `sendp` is for Layer 2; `send` for everything else.

ETHERNET TYPES

| Value | Protocol |
| --- | --- |
| 0x0800 | IPv4 |
| 0x0806 | ARP |
| 0x86DD | IPv6 |
| 0x8100 | VLAN tag |

# DAY 2 NETWORKING FUNDAMENTALS

- Fragment Offset tells the reassembling device where this fragment's data sits within the original packet (counted in 8-byte units).
- MF flag set OR a non-zero offset means the packet is a fragment.
- Fragment offset formula: (MTU - (IHL x 4)) / 8

BERKELEY PACKET FILTERS

- BPF only accepts field lengths of 1, 2 or 4 bytes.
- Sample filter syntax: `tcpdump 'A[B:C] D E'` where A is the protocol, B the byte offset into that header, C the byte field length, and D E the comparison operator and value.

```bash
tcpdump 'ether[12:2] = 0x0800 && (tcp[2:2] != 22 && tcp[2:2] != 23)'
```

Bitwise masking to look at a specific bit:

```bash
ip[0] & 0x0F > 0x05     # IP header byte 0, keep only the low nibble (IHL) and compare it
tcp[13] & 0xFF = 0x11   # every flag bit must match exactly
tcp[13] & 0x11 != 0     # matches if either of the masked bits is set
```

Most Exclusive vs Least Exclusive

- Most Exclusive means everything must match 100%; equivalent to masking with 0xFF; looks at EVERY bit (`tcp[13] & 0xFF = 0x11`).
- Least Exclusive means only one of the masked bits needs to be on for the filter to match (`tcp[13] & 0x11 != 0`).
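Added example (not from the original notes): Python that models how the tcpdump expressions from Day 1 and Day 2 are evaluated by BPF, with `ether[]`, `ip[]` and `tcp[]` offsets counted from each header's own start, 1/2/4-byte loads, and the "most exclusive" versus "least exclusive" masks. The frames are constructed inline, and the helper names are my own.

```python
import struct


def build_frame(sport, dport, tcp_flags, ihl_words=5, mf=0, frag_off=0):
    """Construct a sample Ethernet/IPv4/TCP frame (constructed input, not a capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # ether[12:2] = EtherType
    total_len = ihl_words * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 1,
                     (mf << 13) | frag_off, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * ((ihl_words - 5) * 4)                     # zero-padded IP options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def field(buf, offset, length):
    """tcpdump-style buf[offset:length]; BPF allows only 1, 2 or 4 byte loads."""
    if length not in (1, 2, 4):
        raise ValueError("BPF field length must be 1, 2 or 4")
    return int.from_bytes(buf[offset:offset + length], "big")


def layers(frame):
    """Split the frame so ether[], ip[] and tcp[] each index from their own header."""
    ip = frame[14:]
    ihl_bytes = (ip[0] & 0x0F) * 4        # tcp[] offsets depend on the real IHL
    return frame, ip, ip[ihl_bytes:]


def sample_filter(frame):
    """ether[12:2] = 0x0800 && (tcp[2:2] != 22 && tcp[2:2] != 23)"""
    eth, _, tcp = layers(frame)
    return field(eth, 12, 2) == 0x0800 and field(tcp, 2, 2) not in (22, 23)


def has_ip_options(frame):
    """ip[0] & 0x0F > 0x05: header longer than the minimum 5 words."""
    return (layers(frame)[1][0] & 0x0F) > 0x05


def flags_exactly(frame, value, mask=0xFF):
    """Most exclusive: tcp[13] & mask = value, every masked bit must match."""
    return (layers(frame)[2][13] & mask) == value


def flags_any(frame, mask):
    """Least exclusive: tcp[13] & mask != 0, any one masked bit suffices."""
    return (layers(frame)[2][13] & mask) != 0


def is_fragment(frame):
    """MF flag set OR fragment offset != 0, i.e. ip[6:2] & 0x3FFF != 0."""
    return field(layers(frame)[1], 6, 2) & 0x3FFF != 0


def fragment_offset_step(mtu, ihl_words):
    """Page formula (MTU - IHL*4)/8: offset increment per fragment, in 8-byte units."""
    return (mtu - ihl_words * 4) // 8
```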

# DAY 4 NETWORK RECONNAISSANCE

Reconnaissance types:

- Active: direct interaction with the target, so a higher risk of discovery than passive
- Passive: not straightforward, no interaction, lower risk of discovery
  - Goal is to identify IPs and sub-domains, external and 3rd-party sites, people and tech, content of interest, and vulnerabilities
  - Tools include WHOIS queries, job site listings, phone numbers, Google searches, passive OS fingerprinting
  - Shodan, Google dorking, Netcraft, Wayback Machine
- Internal
- External

Network scanning types:

- Remote to Local
- Local to Remote
- Local to Local
- Remote to Remote

Ping sweep script:

```bash
for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done
```

Other commands:

- `curl cht.sh/nc` (cheat sheet for netcat)
- DuckDuckGo: enter an IP and CIDR and it returns everything it knows about the range
- `show config` and `show int` on VyOS
- `nmap -Pn -p 21-25,80`
- `wget -r` (for a web server); `wget -r ftp://` (for an FTP server)
- netcat to banner grab from ports

# DAY 5

How to make a named pipe:

```bash
mkfifo pipename
nc -lp <port1> > pipename | nc -lp <port2> < pipename
```

SSH local port forwarding:

```bash
ssh -L <local_port>:<remote_host>:<remote_port> -p <ssh_port> <user>@<host>
ssh <user>@<host> -L 1111:127.0.0.1:80 -NT
```

Ping sweep (same as Day 4):

```bash
for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done
```

# DAY 6

- p0f: passive OS fingerprinting
- `snort -c <config file> -r <pcap file>`

# DAY 7

| Device | Filtering Mechanism | OSI Layer |
| --- | --- | --- |
| Switch | PACL, VACL, ACL | Layer 2, Layer 3 |
| Router | ACL | Layers 3 & 4 |
| Proxies | Content-based, such as URL & DNS blacklists, MIME filtering, content keyword filtering | Layers 3-7 |
| Intrusion Detection & Prevention Systems | Signatures | Layers 3-7 |
| Host-based Firewall | Rules | Layers 3-7 |
| Network Firewall | Rules: Packet Filtering (stateless) | Layers 3 & 4 |
| Network Firewall | Rules: Stateful (connection based) | Layers 3 & 4 |
| Network Firewall | Application Layer FW | Layers 3-7 |
| Network Firewall | Next Generation FW | Layers 3-7 |

POSTROUTING handles packets after the routing decision, i.e. packets that were created locally or changed (e.g. by NAT) and are about to leave.

iptables syntax:

```bash
sudo iptables -t <table> -A <chain> <rules> -j <action>
# -A          append to the chain
# -i <iface>  incoming interface
# -s <ip.addr | network/mask>
# -p <protocol, as in the IPv4 header>
```

Three nftables chain types and the address families they are valid in:

- filter - arp, bridge, ip, ip6, inet
- route - ip, ip6
- nat - ip, ip6

Commands to create a table, a chain and a rule:

```bash
nft add table <family> <table>
# family = ip, ip6, inet, arp, bridge, netdev
# table  = user-chosen name for the table

nft add chain <family> <table> <chain> '{ type <type> hook <hook> priority <priority> ; policy <policy> ; }'
# type     = filter, route, nat
# hook     = prerouting, ingress, input, forward, output, postrouting
# priority = 0
# policy   = accept

nft add rule <family> <table> <chain> <matches> <statement>
# statement = action performed when a packet is matched, e.g. log, accept, drop, reject, counter, nat (dnat, snat, masquerade)
# rules can also be inserted, replaced or deleted (nft insert rule, nft replace rule, nft delete rule)
```

EXAMPLE COMMANDS:

```bash
# look at the default (filter) table
sudo iptables -L
# look at other tables
sudo iptables -t <table type> -L
# flush the default table
sudo iptables -F
# flush other tables
sudo iptables -t <table type> -F
# add rules for SSH in both directions
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# add rules for several ports at once, only NEW and ESTABLISHED connections
sudo iptables -A INPUT -p tcp -m multiport --ports 22,6010,6011,6012 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --ports 22,6010,6011,6012 -m state --state NEW,ESTABLISHED -j ACCEPT
# show line numbers
sudo iptables -L --line-numbers
# delete rule 4 from OUTPUT
sudo iptables -D OUTPUT 4
# change the default policy of a chain
sudo iptables -P FORWARD DROP
# allow from a specific host
sudo iptables -A INPUT -s 172.16.82.112 -j ACCEPT
# reset all default policies to ACCEPT
for CHAIN in INPUT OUTPUT FORWARD; do sudo iptables -P $CHAIN ACCEPT; done
# drop packets conntrack marks INVALID (e.g. invalid fragments)
sudo iptables -A INPUT -m state --state INVALID -j DROP
# drop fragments
sudo iptables -A INPUT -f -j DROP
# rate-limit incoming SYNs: this rule accepts up to 10 per second on eth0,
# SYNs above that rate fall through to later rules or the chain policy
sudo iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 10/second -j ACCEPT
# write the config to a file and restore it later
sudo iptables-save > ipt.conf
sudo iptables-restore -v < ipt.conf
```

NFTABLES

```bash
sudo nft add table ip <NAME>
sudo nft list tables
sudo nft flush table ip CCTC
sudo nft delete table ip CCTC
# the braces and semicolons must be quoted so the shell does not interpret them
sudo nft add chain ip CCTC input '{ type filter hook input priority 0 ; policy accept ; }'
sudo nft add chain ip CCTC output '{ type filter hook output priority 0 ; policy accept ; }'
sudo nft insert rule ip CCTC input tcp dport 22 accept
sudo nft insert rule ip CCTC input tcp sport 22 accept
sudo nft insert rule ip CCTC output tcp dport 22 accept
sudo nft insert rule ip CCTC output tcp sport 22 accept
# -a shows rule handles, -n prints numeric values
sudo nft -a -n list ruleset
sudo nft add rule ip CCTC input tcp sport '{ 22, 6010, 6011, 6012 }' accept
sudo nft add rule ip CCTC input tcp dport '{ 22, 6010, 6011, 6012 }' accept
sudo nft add rule ip CCTC output tcp sport '{ 22, 6010, 6011, 6012 }' accept
sudo nft add rule ip CCTC output tcp dport '{ 22, 6010, 6011, 6012 }' accept
sudo nft add rule ip CCTC input ip saddr 172.16.82.112 drop
sudo nft add rule ip CCTC output ip daddr 172.16.82.112 drop
sudo nft add rule ip CCTC input ip saddr 10.10.0.40 accept
sudo nft add rule ip CCTC output ip daddr 10.10.0.40 accept
# delete by the handle shown in "nft -a list ruleset"
sudo nft delete rule ip CCTC input handle 4
sudo nft list ruleset > nft.conf
sudo nft flush table ip CCTC
```

TUNNEL DEMO

Chain: IH -> this_guy -> THAT_GUY -> SCOOBY

```bash
# from IH: dynamic (SOCKS) forward through this_guy
ssh <user>@this_guy_IP -D 9050
# from IH: local forward to THAT_GUY's telnet through this_guy
ssh <user>@this_guy_IP -L 11600:THAT_GUY_IP:23
telnet localhost 11600
# from THAT_GUY: remote forward back to this_guy
ssh <user>@THIS_GUY_IP -R 11609:localhost:<port>
# from IH: local forward to that remote-forwarded port on this_guy
ssh <user>@this_guy_IP -L 11601:localhost:11609
ss -ntlp        # check the listening ports
# from IH: ssh to THAT_GUY through the chain
ssh <user>@localhost -p 11601
# from THAT_GUY: ssh to SCOOBY, then exit back out
ssh SCOOBY_IP
exit            # on SCOOBY
exit            # on THAT_GUY
# from IH: extend the chain to SCOOBY's ssh
ssh <user>@localhost -p 11601 -L 11602:SCOOBY:22
ssh <user>@localhost -p 11602
```

MY EXAMPLE:

```bash
ssh <user>@<host> -p 7777 -L 11600:10.2.2.7:23 -NT
ssh <user>@<host> -p 7777 -R 11609:localhost:2222 -NT
ssh <user>@<host> -p 7777 -L 11602:localhost:11609 -NT   # alter as necessary to move to different boxes
ssh <user>@<host> -p 11602 -D 9050 -NT                   # alter as necessary to move the dynamic port
```
